Download the PHP package rhubarbphp/module-csrfprotection without Composer
Package module-csrfprotection
Short Description A means to provide token based CSRF protection
License Apache-2.0
Homepage http://www.rhubarbphp.com/
Information about the package module-csrfprotection
Module.CsrfProtection
Provides a mechanism for CSRF protection
Usage
Simply require the module using composer:
There are two types of validation provided:
Header validation
Call the validateHeaders method of the library to compare the Origin and Referer headers of the incoming request with the active request's own origin; a request whose origin does not match the site is rejected.
$request should be the active WebRequest object. If you don't have a reference to it you can get it using
This validation should be done for every POST request. It can also be done for GET requests, but that is not recommended: the first request a client makes to the site (a typed URL or a bookmark) carries neither an Origin nor a Referer header, so header validation has nothing to compare and will fail.
Cookie validation
This approach should be used in conjunction with header validation, not instead of it. It compares a value posted with the form against a random token that was previously generated and stored in a cookie on the client (the double-submit cookie pattern): a forged cross-site request still carries the cookie, because the browser attaches it automatically, but the attacker cannot read the cookie value to copy it into the forged form. The pattern on its own assumes nobody else can set cookies for your domain (a compromised sibling subdomain, or an active attacker on a plain-HTTP connection, can), which is why the header check is kept alongside it.
When you output a form tag include the CSRF cookie token:
When handling the post back, validate headers and the cookie:
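As an added example, not code from the module or its README: both checks described above (Origin/Referer header validation and the double-submit cookie comparison) written in plain PHP and run against constructed requests, so the logic can be read without the Rhubarb framework. The function names, the CsrfViolationException class, the `csrf_token` cookie and field name, and the sample requests are assumptions of this example; the module's own class names and call signatures are not shown on this page.

```php
<?php
// Added example (not the module's own code): the two checks the README describes,
// written as plain PHP so the logic can be read and run without Rhubarb.
// Function names, the exception class and the "csrf_token" field/cookie name are
// assumptions made for this example; the module's real API is not reproduced here.
declare(strict_types=1);

class CsrfViolationException extends RuntimeException {}

// Header validation. The source of the request is the Origin header or, when a
// browser omits Origin, the Referer header. Its scheme://host[:port] must equal the
// site's own origin. A request carrying neither header is rejected; that is why the
// check only suits POST: a user's first navigation (typed URL, bookmark) has
// neither header and would fail on GET.
function validateHeaders(array $headers, string $expectedOrigin): void
{
    $source = $headers['Origin'] ?? $headers['Referer'] ?? null;
    if ($source === null) {
        throw new CsrfViolationException('request carries neither Origin nor Referer');
    }
    $p = parse_url($source);
    // "Origin: null" (sandboxed iframes, some redirects) has no scheme and is rejected here.
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new CsrfViolationException("unparseable source '$source'");
    }
    // Rebuild the full origin rather than substring-matching, so that
    // https://www.example.com.evil.net cannot pass as https://www.example.com.
    $origin = strtolower($p['scheme'] . '://' . $p['host'])
        . (isset($p['port']) ? ':' . $p['port'] : '');
    if ($origin !== strtolower($expectedOrigin)) {
        throw new CsrfViolationException("cross-origin request from $origin");
    }
}

// Cookie validation (double-submit cookie). The server mints a random token, stores
// it in a cookie and also writes it into every form as a hidden field. A forged
// cross-site POST still carries the cookie (browsers attach it automatically) but
// the attacker cannot read the cookie value to copy it into the form.
function generateCsrfToken(): string
{
    return bin2hex(random_bytes(32));   // CSPRNG, 256 bits of entropy
}

// Attributes to pass to setcookie('csrf_token', $token, csrfCookieOptions()).
// HttpOnly is fine here because the server, not page JavaScript, writes the field.
function csrfCookieOptions(): array
{
    return ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict'];
}

// Hidden field to emit inside every form tag; the token is HTML-escaped on output.
function csrfHiddenField(string $token): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

function validateCookie(array $cookies, array $post): void
{
    $cookie = $cookies['csrf_token'] ?? null;
    $posted = $post['csrf_token'] ?? null;
    if (!is_string($cookie) || !is_string($posted) || $cookie === '' || $posted === '') {
        throw new CsrfViolationException('CSRF token missing from cookie or form');
    }
    if (!hash_equals($cookie, $posted)) {   // constant-time comparison
        throw new CsrfViolationException('CSRF token mismatch');
    }
}

// Constructed sample requests, not captured traffic.
$site  = 'https://www.example.com';
$token = generateCsrfToken();
$cases = [
    'legitimate form post' => [
        'headers' => ['Origin' => 'https://www.example.com'],
        'cookies' => ['csrf_token' => $token],
        'post'    => ['csrf_token' => $token],
    ],
    'forged post from attacker page' => [
        'headers' => ['Referer' => 'https://www.example.com.evil.net/attack.html'],
        'cookies' => ['csrf_token' => $token],    // victim's browser attaches the cookie
        'post'    => ['csrf_token' => 'guessed'], // attacker cannot read the real value
    ],
    'same-origin post with stale token' => [
        'headers' => ['Origin' => 'https://www.example.com'],
        'cookies' => ['csrf_token' => $token],
        'post'    => ['csrf_token' => generateCsrfToken()],
    ],
];

foreach ($cases as $name => $req) {
    try {
        validateHeaders($req['headers'], $site);
        validateCookie($req['cookies'], $req['post']);
        echo "$name: accepted\n";
    } catch (CsrfViolationException $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```

The header check runs first because it is cheap and catches cross-site requests before any token handling; the cookie check then catches same-origin submissions whose token is missing or stale. Both raise the same exception type, which is the shape the module's failure handling below expects.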
Handling failures
If validation fails a CsrfViolationException is thrown, which should be caught and handled appropriately: reject the request (for example with an HTTP 403) without performing the requested action, and log the failure rather than silently retrying it.